Jeff,
GPO would definitely be a good way to do
this, disallowing any change to the desktop.
You could also point the GPO to a specific
desktop with folder redirection so your users would get a predefined desktop,
allowing you to create different GPOs with different
desktops.
That way,
I have some information and an idea on how
to do this but wanted to get some input.
Basically creating a new workstation build
with XP sp2. They want it where the users cannot change their desktop
(i.e put files on the desktop) or if they do when they logout any changes
go away.
Title: RE: [ActiveDir] 64 Bit?
I have worked with several environments that had 64bit DCs. All had DITs that were >=8GB in size.
What sorts of questions do you have?
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers,
All:
Is anyone looking at using the 64 bit platform for their AD domain
controllers? We're doing a life cycle replacement of our hardware next year
and was wondering if anyone has gone down this path. I sat through some of
the Web casts but is there anyone running 64 bit in the "real world" ;-)
What we did in our environment was:
- disabled the links of DDP/DDCP to domain object and Domain Controllers OU
- remove “Group Policy Creator Owners” from the ACL of “CN=Policies,CN=System,DC=domain,DC=com” and added our own group with permissions to create objects in the
Check to see under the view pull
down menu if "users, groups and computers as containers" is selected. If it is
selected, select it again to unselect the option
Regards,
jorge
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, 8 November 2004 16:5
Hi,
In my opinion you should enable scavenging on at least one DC/DNS server and
at a max on 2 or 3 DC/DNS server where you at least have one or two backup
scavenging DC/DNS servers (already included in the total DC/DNS servers that
are configured for scavenging). Reason: why should all DC/DNS se
>>Isn't that only true if you aren't using Windows 200X for DHCP services?
Possibly. I have not personally seen a difference in the behavior, though. I
also do not agree with the document. Test it out, in a lab. Scavenging and
aging confuses me, and I try very hard to get a handle on it. I sugges
good point Darren, thanks. I'll have a closer look at
these and compare them to the settings we've had.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, November 08, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Issues with W
Guys, it's not really worth going back-and-forth, and it's filling up my inbox.
Modify whatever you want. Sorry for bringing it up.
I, however, never modify the default policies. Instead I create custom policies
and prefix with "Accutest" (my company name) so that they stand out, and attach
the
http://groups.google.com/groups?hl=en&lr=&threadm=066201c3a88d%24d3bd75d0%24a101280a%40phx.gbl&rnum=6&prev=/groups%3Fq%3Devent%2520id%25204010%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg
I can say I don't care for this solution, but the cause is possible. What
have you done to troubleshoot the reco
Title: Re: [ActiveDir] ADPREP /forestprep
It's used for management of application assignment to users and OUs.
See http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url= for a reference point.
As a practical point, I haven’t seen anyone ma
Title: Re: [ActiveDir] XP SP2 and AD
Have you actually removed it from that other domain?
Have you tried it logging on with the actual “Administrator” account and not “logged on as an administrator.”...?
I doubt it’s a DNS issue if the option to change from workgroup to domain membership is gr
Make sure you are pointed to a DNS server
with the srv records, and not just some DNS that has nothing but an (A) record
for the domain.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Monday, November 08, 2004 1:28 PM
To: [EMAIL PROTECTED]
Title: Message
It is an OEM version. It was on an NT domain before.
-Z.V
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 08, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP SP2 and AD
Be sure the machine is runn
Isn't that only true if you aren't using Windows 200X for DHCP services?
From the DNS whitepaper it says:
To ensure that no records are deleted before the dynamic update client has
time to refresh them, the refresh interval must be greater than the refresh
period for each record subjected to sca
I just ran the forestprep and have a question for everyone, what is the
new tab COM+ used for in ADU&C? You will see it when viewing the
properties of a user.
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Title: .Net Sid conversion Function
There is also good stuff on www.pinvoke.net and there is a nice managed
wrapper for all the .NET Security APIs (SIDs, tokens, ACLs, etc.) on GotDotNet:
http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af
Just to clarify my earlier statement: If your connection between the Ciscos isn’t 100%
steady, it might take just those few millisecs too long for the VPN to get put up,
especially if you’re going for more than the standard 3DES-MD5 sort and configure
nifty requirements on the VPN.. in the
On a few occasions I’ve seen this give some rather annoying results if the connection
between the Cisco’s is not 100% reliable.
But if you’re gonna use the Cisco’s in a VPN Server – Client config with a decent line
and there aren’t any restrictions firewall-wise, it should work decently.
Title: Message
Be sure the machine is running XP Professional with SP2. If it is running XP
Home with SP2, it can't join a domain.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Monday, November 08, 2004 1:28 PM
To: [EMAIL
I got a Dell laptop running XP SP2 that cannot join
Active Directory. The option to join the domain is greyed out. Yes, I am
logged in as an administrator. I can ping and even remote desktop into the PDCs.
Other machines in the office have no problem joining the
domain.
I have added the domain
Depending on how large your environment is, you may be best served by just
doing regular scavenging as a part of your weekly/bi-weekly/monthly
maintenance. The reason I say this is that the Scavenging option you see in
the GUI is a little bit hard to get a handle on.
dnscmd /startscavenging will
Hello Collective List Wisdom ;)
I’ve just been tasked with setting up our AD to replicate over a Cisco Pix VPN.
I’ve assembled some links now to various Microsoft articles and Cisco articles
regarding most facets of what will be involved. What I’m looking for are any
“Gotcha’s” from
That also might explain why your test environment
did not have these issues and your production environment did.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, November 08, 2004 11:43 AM
To: [EMAIL PROTECTED]
Subj
What's the recommended best way to have scavenging set
up? Enable on all your AD integrated DNS servers, or enable on one and let
it replicate to all the others? Also, if our DHCP lease time is 5 days,
would 7 days be an appropriate scavenging
time?
~~~
Guido-
You might want to check the Win2K security hardening guide
templates as a culprit. Those have a tendency to make a lot of changes to file,
registry and service security. If one or more of those were imported into the
GPO, that could explain the fun you've had.
Darren
From: [EMAIL
Thanks Willem - I was definitely thinking along the same
lines - especially rgd. removal of rights to the default policies and creating a
special group for it that's empty by default (similar to leaving the Schema
Admins empty, which I always do until it's required for
something).
/Guido
Hi,
Running w2k sp4 AD
and I just ran forestprep and domainprep this weekend. Everything
looks good, however now when I use ad users and computers on the domain
controller that I ran forest prep on I cannot modify object by double clicking
on them. Nothing shows up. I need to right clic
Title: .Net Sid conversion Function
There is an example here written in C#:
http://www.codeproject.com/csharp/getusersid.asp
(for the sid-to-string function you’ll
need to scroll down)
r/
Lou
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf O
I have had similar issues before at
customer sites with apps modifying the DDP and DDCP, although none this bad. ADMT
is a notorious offender. I am seriously tempted to fix it in the
following way:
- create a new DDP/DDCP (new name of course) with highest prio. Edit any additi
Title: .Net Sid conversion Function
Is anyone aware of a .Net function to convert the binary form of a sid to the string form and vice versa? I have found the c++ functions but I am trying to work specifically within the .Net framework.
Hi,
We have an NT4 domain and are migrating to W2K3 AD. The trusts between the
two work OK.
We also have the following configuration though when we created the W2K3 AD
domain: "Permissions compatible with pre-Windows 2000 servers" to enable
anonymous access for services during the migration.
If
You can get the same thing with DNS.
Whatever the cause, it's highly likely that it's a network
related issue and should be looked at that way. Whether it's an issue with
breaking up packets incorrectly, UDP, etc, that type of behavior is often seen
with network issues.
Your drivers s
Title: Ladies and Gentleman, A complex AD/Exchange issue.
I see where you're going with this, but I have to admit
that I'm not a fan of keeping the user data laying around. Here's why: one
thing the regulations have in common is that they all are going after the
access/entitlement issues. T
Return Receipt
Your document: RE: [ActiveDir] Removing read only folder attributes in SYSVOL
We have created a two-way trust between a W2K3 domain (freshly installed)
and an existing NT domain using the MS documentation on how to create a
trust so that we can conduct a migration.
However, our trust seems to fail after about five minutes of activity and we
receive an event log error 321
You could create a new policy at the domain level that would allow you to do
these things. I however modify the Default Domain Policy for these things.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 05, 2004 10:20 PM
Hello folks,
I've just had a very curious issue at a customer, which
took us a while to figure out. You should all be aware of this as it could hurt
you as well. After testing everything successfully in the lab (and
ADPREPing the production forest + domains), we've inplace-upgraded the fir
You don't need a C program if you can be sure that Internet Explorer is
installed; a bit of script will do it:
Set oIE= CreateObject("InternetExplorer.Application")
Do While (oIE.Busy)
Wscript.Sleep 250
Loop
oIE.visible=true
oIE.ToolBar = false
oIE.StatusBar = false
oIE.Resizable = false
oIE.N
Hi,
At the moment I don't know what's causing your problem. I only know that if
something goes wrong with the SYSVOL it CAN/WILL get very messy.
To re-initialize the SYSVOL on all DCs you could do the following:
EXECUTE THIS PROCEDURE VERY CAREFULLY!->TRY THIS FIRST IN A TEST
ENVIRONMENT!!!
F
Title: Ladies and Gentleman, A complex AD/Exchange issue.
Sounds like a process winning over
technology issue here:
An inter-forest migration tool that will
support a migration with Sid-history and offer an ACL
cleanup should do the job.
What you’re looking for is
a) Transparency f
We had a similar situation in my organization where, when the user presses
Control+Alt+Del, they get the GPO that sets the Legal Notice, but we also
needed the notice to pop up after the user logged in. Our solution was to
use the GPO, plus a small C program that created a window with the text
af
I have encountered an issue where FRS is generating a huge amount of network
traffic, as a result of certain SYSVOL folders having their read only
attribute updated on a *very* regular basis.
Whilst I do not (yet) understand why only certain folders are r/o and why this
generates so much network t
Title: Ladies and Gentleman, A complex AD/Exchange issue.
Assuming that all domains are Windows 2000
native mode I would have thought that an account move using the SID history
property should be able to handle this. Have a look at either the Quest or
Net-IQ tools. The same should hold for t